Evolving risks and business technologies shift focus in security budgets
As enterprises accelerate their use of cloud computing, online services, and ready themselves for internet of things deployments, they are finding themselves strained to find the cybersecurity talent and security tools needed to secure these efforts. That’s one of the most important takeaways from the Global State of Information Security Survey (GSISS) 2017 -- a worldwide study conducted by PwC, CIO and CSO released today.
According to the GSISS survey, 59 percent of respondents say they are boosting their security spending as a result of their increased use of digital technologies, and retooling their business models to provide customers, employees, and partners evermore digital services and apps. These security efforts include increased investments in cloud computing environments, data monitoring, as well as managed security services. The survey was conducted online from April 4, 2016 to June 3, 2016.
The survey found the cybersecurity spending priorities for respondents for the next 12 months to be considerable: improved collaboration within the business (51 percent), secure changing business models (46 percent), and secure their IoT deployments (46 percent).
The broad business adoption of cloud computing outside of software development and IT continues to remain strong. While IT, not surprisingly, at 63 percent is the single largest business unit that runs functions in the cloud, others such as finance (32 percent), marketing and sales (34 percent), customer service (34 percent), and operations (35 percent) are catching up in how many business functions they run within cloud-based environments.
As these enterprise adoption trends toward cloud, mobile, and IoT accelerate, so does the impact they each have on security spending. “Security spending tends to be driven by threat changes in the short run, business technology changes take longer to impact spend, and the increased use of cloud is having the biggest impact,” says John Pescatore, director, emerging security trends at the SANS Institute.
Javvad Malik, security advocate at AlienVault and former security analyst at 451 Research, adds that part of the trend underway includes using cloud, mobile, APIs, and data to improve customer experience in intuitive ways. As a result, IT security operating models have had to change, or adjust to take into account this new reality. Perhaps the biggest change this has incurred in is abstracting security controls from the technology and more importantly away from the customer,” Malik says.
How is this being done? Malik says through increased investments in monitoring, behavioral analysis, and awareness tools. “These allow businesses to continually innovate without security being a bottleneck - and security can keep an eye on the operations,” he says. The survey found 63 percent of enterprises are running IT services in the cloud, 62 percent are using managed security services, and just over half say they are currently using security analytics.
The big security shift
How are enterprises managing their transitions to hybrid legacy, public, and private cloud environments? Those we interviewed based on these survey results unanimously said: not very well.
Martin Fisher, IT security manager at Northside Hospital and host of the Southern Fried Security Podcast, says IT operations teams are breaking into distinct groups that focus individually on internally hosted systems, while others focus on varied forms of cloud computing environments within their business. “Integration of these operations is difficult and I'm not sure, outside of the Unicorns, that anybody has it totally figured out, at least not in healthcare,” he adds.
Pescatore agrees: “Increased use of SaaS and IaaS is definitely causing breakage in security approaches. It is causing a shift in spend from security software and hardware to actually more skills on the security staff side,” he says, adding that it’s common for SANs to hear such challenges from large enterprises. The reason for this, Pescatore explains, is that “SaaS means you cannot use security agents or appliances except the big SaaS services, such as Outlook365, Google at Work, Salesforce, and so on. They have security features and APIs that can be used to extend security policies to the SaaS app -- but that takes a higher level of skill in the security staff. Similarly, in IaaS you can use software and virtual appliances,” he says.
Those higher-skilled, or nearly any-skilled actually, cybersecurity professionals are hard to come by — and continue to make enterprise IT security all the more challenging. Many enterprises are attempting to close their skills gap by turning to managed security services. According to the survey, 62 percent of respondents use security service providers to operate and enhance their IT security programs. The services they are outsourcing include authentication (64 percent), data loss prevention (61 percent), identity and access management (61 percent), real-time monitoring and analytics (55 percent), and threat intelligence (48 percent).
Malik added that enterprises have become more comfortable with outsourcing aspects of security, as well. “The irrational fear of cloud being insecure is being replaced by a more measured approach. Secondly, there's the skills gap issue. Most security teams in-house are so stretched, they don't have time to monitor and respond to all alerts — so shifting some of those tasks to a managed security services provider can help relieve some of the burden,” he said.
Fisher agrees on the skills shortage. According to Fisher, there are three primary trends underway driving the move to outsource: 1) extreme difficulty in obtaining and retaining qualified staff; 2) the infrastructures are complex and difficult to manage within the operating budgets of many organizations; 3) managed security services providers have matured to a point where there is more flexibility, for example hybrid security providers that manage the SIEM on your floor, than existed previously.
“My sense is that it's the functions that cannot be easily commoditized are staying in-house. For example ICS/SCADA and bio-medical security are very specialized that many folks would be uncomfortable outsourcing,” Fisher says. “But identity and access management is something that can likely be passed to a qualified partner. That line of what's commodity and what isn't is changing and dynamic so it's going to be challenging to make good decisions over the next couple of refresh cycles as a CISO,” advises Fisher.
A focus on threat intelligence and data sharing
Threat intelligence, data and information sharing came in big this year. Fifty-one percent of survey respondents say they use security data analytics to model cybersecurity threats and spot attacks underway. That thirst for data is another reason why enterprises are turning to cloud and outsourcing. Within those respondents that rely on managed security services, 55 percent say they rely on their providers for security monitoring and data analytics. And another benefit of these providers is their access to security operations and threat intelligence fusion centers.
Michael Echols, executive director and CEO at the International Association of Certified ISAOs (Information Sharing and Analysis Organizations), and former director at the cyber joint program management office at the U.S. Department of Homeland Security, believes enterprises are also increasingly warming up to the idea of cybersecurity information sharing. “There’s an opportunity to essentially share costs [from organizational data sharing]. With data sharing, you now have the advantage of the expertise that maybe one of your sharing partners has, or if there's someone in your particular community of interests, or region, or industry; if something is happening to them, it potentially is going to happen to you. You now have valuable threat intelligence,” says Echols.
There’s no doubt about that, and considering the acceleration of technological innovation that enterprises are adopting, and the determination and persistence of today’s attackers – CISOs need every edge they can find.